Abstract. Ulrich Berger presented a powerful proof of strong normalisation using domains; in particular it simplifies significantly Tait's proof of strong normalisation of Spector's bar recursion. The main contribution of this paper is to show that, using ideas from intersection types and Martin-Löf's domain interpretation of type theory, one can in turn simplify further U. Berger's argument. We build a domain model for an untyped programming language, where U. Berger has an interpretation only for typed terms or alternatively has an interpretation for untyped terms but needs an extra condition to deduce strong normalisation. As a main application, we show that Martin-Löf dependent type theory extended with a program for Spector's double negation shift is strongly normalising.



In 1961, Spector [23] presented an extension of Gödel's system T by a new schema of definition called bar recursion. With this new schema, he was able to give an interpretation of Analysis, extending Gödel's Dialectica interpretation of Arithmetic, and completing preliminary results of Kreisel [15]. Tait proved a normalisation theorem for Spector's bar recursion, by embedding it in a system with infinite terms [25]. In [9], an alternative form of bar recursion was introduced. This allowed an interpretation of Analysis by modified realisability, instead of the Dialectica interpretation. The paper [9] also presented a normalisation proof for this new schema, but this proof, which used Tait's method of introducing infinite terms, was quite complex. It was simplified significantly by U. Berger [11, 12], who used instead a modification of Plotkin's computational adequacy theorem [19], and could prove strong normalisation. In a way, the idea is to replace infinite terms by elements of a domain interpretation. This domain has the property that a term is strongly normalisable if its semantics is $\neq \bot$.

The main contribution of this paper is to show that, using ideas from intersection types [3, 18] and Martin-Löf's domain interpretation of type theory [16], one can in turn simplify further U. Berger's argument. Contrary to [11], we build a domain model for an untyped programming language. Compared to [12], there is no need of an extra hypothesis to deduce strong normalisation from the domain interpretation. A noteworthy feature of this domain model is that it is in a natural way a complete lattice, and in particular it has a top element which can be seen as the interpretation of a top-level exception in programming languages. We think that this model can be the basis of modular proofs of strong normalisation for various type systems. As a main application, we show that Martin-Löf dependent type theory extended with a program for Spector's double negation shift¹ [23], similar to bar recursion, has the strong normalisation property.



1. An Untyped Programming Language 

Our programming language is untyped λ-calculus extended with constants, and has the following syntax:

$$M, N ::= x \mid \lambda x.M \mid M\,N \mid c \mid f$$

There are two kinds of constants: constructors $c, c', \ldots$ and defined constants $f, g, \ldots$. We use $h, h', \ldots$ to denote a constant which may be a constructor or defined. Each constant has an arity, but can be partially applied. We write $FV(M)$ for the set of free variables of $M$. We write $N(x = M)$ for the result of substituting the free occurrences of $x$ by $M$ in $N$, and may write it $N[M]$ if $x$ is clear from the context. We consider terms up to α-conversion.

The computation rules of our programming language are the usual β-reduction and ι-reduction, the latter defined by a set of rewrite rules of the form

$$f\,p_1 \ldots p_k = M$$

where $k$ is the arity of $f$ and $FV(M) \subseteq FV(f\,p_1 \ldots p_k)$. In this rewrite rule, $p_1, \ldots, p_k$ are constructor patterns, i.e. terms of the form

$$p ::= x \mid c\,p_1 \ldots p_l$$

where $l$ is the arity of $c$. Like in [11], we assume our system of constant reduction rules to be left linear, i.e. a variable occurs at most once in the left hand side of a rule, and mutually disjoint, i.e. the left hand sides of two distinct rules are non-unifiable. We write $M \to M'$ if $M$ reduces in one step to $M'$ by β, ι-reduction, and $M =_{\beta\iota} M'$ if $M, M'$ are convertible by β, ι-conversion. It follows from our hypothesis on our system of reduction rules that β, ι-reduction is confluent [14]. We write $\to(M)$ for the set of terms $M'$ such that $M \to M'$.

We work with a given set of constants, that are listed in section 3, but our arguments are general and make use only of the fact that the reduction system is left linear and mutually disjoint. We call UPL, for Untyped Programming Language, the system defined by this list of constants and ι-reduction rules. The goal of the next section is to define a domain model for UPL that has the property that $M$ is strongly normalizing if $[\![M]\!] \neq \bot$.



¹ This is the schema $(\forall x.\neg\neg P(x)) \to \neg\neg\forall x.P(x)$. Spector [23] remarked that it is enough to add this schema to intuitionistic analysis in order to be able to interpret classical analysis via negative translation.
$$\mathsf{V} \cap U = \mathsf{V} \qquad c\,U_1 \ldots U_k \cap d\,V_1 \ldots V_l = \mathsf{V} \ \ (c \neq d) \qquad c\,U_1 \ldots U_k \cap \mathsf{V} = \mathsf{V}$$

$$(U \to V_1) \cap (U \to V_2) = U \to (V_1 \cap V_2) \qquad c\,U_1 \ldots U_k \cap c\,V_1 \ldots V_k = c\,(U_1 \cap V_1) \ldots (U_k \cap V_k)$$

$$\frac{U_1 \subseteq U_2 \quad U_2 \subseteq U_3}{U_1 \subseteq U_3} \qquad \frac{U_1 \subseteq V_1 \ \cdots \ U_k \subseteq V_k}{c\,U_1 \ldots U_k \subseteq c\,V_1 \ldots V_k} \qquad \frac{U \subseteq V_1 \quad U \subseteq V_2}{U \subseteq V_1 \cap V_2}$$

$$\frac{}{U \subseteq U} \qquad \frac{}{V_1 \cap V_2 \subseteq V_1} \qquad \frac{}{V_1 \cap V_2 \subseteq V_2} \qquad \frac{U_2 \subseteq U_1 \quad V_1 \subseteq V_2}{U_1 \to V_1 \subseteq U_2 \to V_2}$$

Figure 1: Formal inclusion
2. A DOMAIN FOR STRONG NORMALIZATION

2.1. Formal Neighbourhoods.

Definition 2.1. The Formal Neighbourhoods are given by the following grammar:

$$U, V ::= \mathsf{V} \mid c\,U_1 \ldots U_k \mid U \to V \mid U \cap V$$

On these neighbourhoods we introduce a formal inclusion relation $\subseteq$ defined inductively by the rules of Figure 1. In these rules we use the formal equality relation $U = V$, defined to be $U \subseteq V$ and $V \subseteq U$. We let $\mathcal{M}$ be the set of neighbourhoods quotiented by the formal equality. The terminology "formal neighbourhoods" comes from [15, 16].

Lemma 2.2. The formal inclusion and equality are both decidable relations, $\mathcal{M}$ is a poset for the formal inclusion relation, and $\cap$ defines a binary meet operation on $\mathcal{M}$. We have $c\,U_1 \ldots U_k \neq d\,V_1 \ldots V_l$ if $c \neq d$, and $c\,U_1 \ldots U_k = c\,V_1 \ldots V_k$ if and only if $U_1 = V_1, \ldots, U_k = V_k$. An element in $\mathcal{M}$ is either $\mathsf{V}$ or of the form $c\,U_1 \ldots U_k$ or of the form $(U_1 \to V_1) \cap \ldots \cap (U_n \to V_n)$, and this defines a partition of $\mathcal{M}$. Furthermore the following "continuity condition" holds: if $I$ is a (nonempty) finite set and $\bigcap_{i \in I}(U_i \to V_i) \subseteq U \to V$, then the set $J = \{i \in I \mid U \subseteq U_i\}$ is not empty and $\bigcap_{i \in J} V_i \subseteq V$. Note that there is no maximum element, where there usually is one. This is linked to the fact that we are aiming to prove strong normalisation, not weak normalisation.

Similar results are proved in [5, 7, 16].

Proof. We introduce the set of neighbourhoods in "normal form" by the grammar

$$W, W' ::= \mathsf{V} \mid c\,W_1 \ldots W_k \mid I \qquad\qquad I ::= (W_1 \to W'_1) \cap \cdots \cap (W_n \to W'_n)$$

and define directly the operation $\cap$ and the relation $\subseteq$ on this set. An element in normal form $W$ is of the form $\mathsf{V}$ or $c\,W_1 \ldots W_k$ or is a finite formal intersection $\bigcap X$ where $X$ is a nonempty finite set of elements of the form $W \to W'$. The definition of $\cap$ and $\subseteq$ will be recursive, using the following complexity measure: $|\mathsf{V}| = 0$, $|c\,W_1 \ldots W_k| = 1 + \max(|W_1|, \ldots, |W_k|)$ and $|\bigcap_i (W_i \to W'_i)| = 1 + \max_i(|W_i|, |W'_i|)$. We define

$$\mathsf{V} \cap W = W \cap \mathsf{V} = \mathsf{V}$$
$$c\,W_1 \ldots W_k \cap c\,W'_1 \ldots W'_k = c\,(W_1 \cap W'_1) \ldots (W_k \cap W'_k)$$
$$c\,W_1 \ldots W_k \cap d\,W'_1 \ldots W'_l = \mathsf{V} \quad (c \neq d)$$
$$c\,W_1 \ldots W_k \cap (\bigcap X) = (\bigcap X) \cap c\,W_1 \ldots W_k = \mathsf{V}$$
$$(\bigcap X) \cap (\bigcap Y) = \bigcap (X \cup Y).$$

Notice that we have $|W_1 \cap W_2| \le \max(|W_1|, |W_2|)$.

We have furthermore $\mathsf{V} \subseteq W$, and $c\,W_1 \ldots W_k \subseteq c\,W'_1 \ldots W'_k$ iff $W_i \subseteq W'_i$ for all $i$, and finally $\bigcap X \subseteq \bigcap Y$ iff for all $W \to W'$ in $Y$ there exist $W_1 \to W'_1, \ldots, W_k \to W'_k$ in $X$ such that $W \subseteq W_1, \ldots, W \subseteq W_k$ and $W'_1 \cap \cdots \cap W'_k \subseteq W'$. This definition is well founded since $|W'_1 \cap \cdots \cap W'_k| < |\bigcap X|$ and $|W'| < |\bigcap Y|$. One can then prove that the relation $\subseteq$ and the operation $\cap$ satisfy all the laws of Figure 1 on the set of neighbourhoods of complexity $\le n$, by induction on $n$.

Since all the laws of Figure 1 are valid for this structure, we get in this way a concrete representation of the poset $\mathcal{M}$, and all the properties of this poset can be directly checked on this representation. □
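As an added illustration (this code is not part of the paper), the following Python transcribes the normal-form representation used in this proof: the meet $\cap$ and the inclusion $\subseteq$ are computed by exactly the recursive clauses above, and the laws of Figure 1 can then be checked on concrete neighbourhoods. The tuple encoding of normal forms, and the names `con`, `arrow`, `meet`, `included` and `arrow_meet_law_holds`, are choices made for this example.

```python
# Added example, not code from the paper: normal-form neighbourhoods of
# Lemma 2.2 with the meet and inclusion computed as in its proof.
# Encoding (chosen for this example):
#   ("V",)                           the least neighbourhood V
#   ("c", name, (W1, ..., Wk))       a constructor neighbourhood c W1 ... Wk
#   ("I", frozenset({(W, W2), ...})) a finite intersection of arrows W -> W2

V = ("V",)


def con(name, *args):
    return ("c", name, tuple(args))


def arrow(w, w2):
    return ("I", frozenset({(w, w2)}))


def complexity(w):
    """The measure |W| that makes meet and inclusion well founded."""
    if w == V:
        return 0
    if w[0] == "c":
        return 1 + max((complexity(a) for a in w[2]), default=0)
    return 1 + max(max(complexity(a), complexity(b)) for a, b in w[1])


def meet(a, b):
    """W1 ∩ W2 on normal forms; the result is again a normal form."""
    if a == V or b == V:
        return V
    if a[0] == "c" and b[0] == "c":
        if a[1] != b[1] or len(a[2]) != len(b[2]):
            return V                       # distinct constructors
        return ("c", a[1], tuple(meet(x, y) for x, y in zip(a[2], b[2])))
    if a[0] == "I" and b[0] == "I":
        return ("I", a[1] | b[1])          # (∩X) ∩ (∩Y) = ∩(X ∪ Y)
    return V                               # constructor against arrows


def included(a, b):
    """Formal inclusion a ⊆ b on normal forms."""
    if a == V:
        return True
    if b == V:
        return False
    if a[0] == "c" and b[0] == "c":
        return (a[1] == b[1] and len(a[2]) == len(b[2])
                and all(included(x, y) for x, y in zip(a[2], b[2])))
    if a[0] == "I" and b[0] == "I":
        # ∩X ⊆ ∩Y iff every W -> W2 in Y is covered by arrows of X whose
        # domains are above W and whose codomains meet below W2.  Taking all
        # such arrows is equivalent to taking some of them, because adding an
        # arrow can only make the meet of the codomains smaller.
        for w, w2 in b[1]:
            codomains = [c2 for c1, c2 in a[1] if included(w, c1)]
            if not codomains:
                return False
            m = codomains[0]
            for c2 in codomains[1:]:
                m = meet(m, c2)
            if not included(m, w2):
                return False
        return True
    return False


def formally_equal(a, b):
    """Formal equality: inclusion in both directions."""
    return included(a, b) and included(b, a)


def arrow_meet_law_holds(u, v1, v2):
    """Check the Figure 1 law (U -> V1) ∩ (U -> V2) = U -> (V1 ∩ V2)."""
    return formally_equal(meet(arrow(u, v1), arrow(u, v2)),
                          arrow(u, meet(v1, v2)))
```

Running `arrow_meet_law_holds(con("0"), con("S", con("0")), con("S", V))` returns `True`, while `included(arrow(V, con("0")), arrow(con("0"), con("0")))` returns `False` and the reverse inclusion holds, which is the contravariance rule of Figure 1 at work.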

We associate to $\mathcal{M}$ a type system defined in Figure 2 (when unspecified, $k$ is the arity of the related constant). It is a direct extension of the type systems considered in [7, 16]. The typing rules for the constructors and defined constants appear to be new however. Notice that the typing of the function symbols is very close to a recursive definition of the function itself. Also, we make use of the fact that, as a consequence of Lemma 2.2, one can define when a constructor pattern matches an element of $\mathcal{M}$.

Lemma 2.3. If $\Gamma \vdash_{\mathcal M} \lambda x.N : U$ then there exists a family $U_i, V_i$ such that $\Gamma, x : U_i \vdash_{\mathcal M} N : V_i$ and $\bigcap_i (U_i \to V_i) \subseteq U$.

Proof. Direct by induction on the derivation. □

Lemma 2.4. If $\Gamma \vdash_{\mathcal M} \lambda x.N : U \to V$ then $\Gamma, x : U \vdash_{\mathcal M} N : V$.

Proof. We have a family $U_i, V_i$ such that $\Gamma, x : U_i \vdash_{\mathcal M} N : V_i$ and $\bigcap_i (U_i \to V_i) \subseteq U \to V$. By Lemma 2.2 there exist $i_1, \ldots, i_k$ such that $U \subseteq U_{i_1}, \ldots, U \subseteq U_{i_k}$ and $V_{i_1} \cap \cdots \cap V_{i_k} \subseteq V$. This together with $\Gamma, x : U_i \vdash_{\mathcal M} N : V_i$ implies $\Gamma, x : U \vdash_{\mathcal M} N : V$. □

Lemma 2.5. If $\Gamma \vdash_{\mathcal M} N\,M : V$ then there exists $U$ such that $\Gamma \vdash_{\mathcal M} N : U \to V$ and

Proof. Direct by induction on the derivation. □



2.2. Reducibility candidates.

Definition 2.6. $\mathcal{S}$ (the set of simple terms) is the set of terms that are neither an abstraction nor a constructor-headed term, nor a partially applied destructor-headed term (i.e. $f\,M_1 \ldots M_n$ is simple if $n$ is greater than or equal to the arity of $f$).

Definition 2.7. A reducibility candidate $X$ is a set of terms with the following properties:
(CR1): $X \subseteq SN$
(CR2): $\to(M) \subseteq X$ if $M \in X$
(CR3): $M \in X$ if $M \in \mathcal{S}$ and $\to(M) \subseteq X$
$$\frac{x : U \in \Gamma}{\Gamma \vdash_{\mathcal M} x : U} \qquad \frac{}{\Gamma \vdash_{\mathcal M} c : U_1 \to \cdots \to U_k \to c\,U_1 \ldots U_k} \qquad \frac{\Gamma, x : U \vdash_{\mathcal M} M : V}{\Gamma \vdash_{\mathcal M} \lambda x.M : U \to V}$$

$$\frac{\Gamma \vdash_{\mathcal M} N : U \to V \quad \Gamma \vdash_{\mathcal M} M : U}{\Gamma \vdash_{\mathcal M} N\,M : V} \qquad \frac{\Gamma \vdash_{\mathcal M} M : U \quad \Gamma \vdash_{\mathcal M} M : V}{\Gamma \vdash_{\mathcal M} M : U \cap V} \qquad \frac{\Gamma \vdash_{\mathcal M} M : V \quad V \subseteq U}{\Gamma \vdash_{\mathcal M} M : U}$$

$$\frac{f\,p_1 \ldots p_k = M \quad p_i(W_1, \ldots, W_n) =  U_i \quad \Gamma, x_1 : W_1, \ldots, x_n : W_n \vdash_{\mathcal M} M : V}{\Gamma \vdash_{\mathcal M} f : U_1 \to \cdots \to U_k \to V}$$

$$\frac{\text{no rewrite rule of } f \text{ matches } U_1, \ldots, U_k}{\Gamma \vdash_{\mathcal M} f : U_1 \to \cdots \to U_k \to V} \quad \text{for any } U_1, \ldots, U_k$$

Figure 2: Types with intersection in $\mathcal{M}$

It is clear that the reducibility candidates form a complete lattice w.r.t. the inclusion relation. In particular, there is a least reducibility candidate $R_0$, which can be inductively defined as the set of terms $M \in \mathcal{S}$ such that $\to(M) \subseteq R_0$. For instance, if $M$ is a variable $x$, then we have $M \in R_0$ since $M \in \mathcal{S}$ and $\to(M) = \emptyset$.

We define two operations on sets of terms, which preserve the status of candidates. If $c$ is a constructor of arity $k$ and $X_1, \ldots, X_k$ are sets of terms, then the set $c\,X_1 \ldots X_k$ is inductively defined to be the set of terms $M$ of the form $c\,M_1 \ldots M_k$ with $M_1 \in X_1, \ldots, M_k \in X_k$, or such that $M \in \mathcal{S}$ and $\to(M) \subseteq c\,X_1 \ldots X_k$. If $X$ and $Y$ are sets of terms, $X \to Y$ is the set of terms $N$ such that $N\,M \in Y$ if $M \in X$.

Lemma 2.8. If $X$ and $Y$ are reducibility candidates then so are $X \cap Y$ and $X \to Y$. If $X_1, \ldots, X_k$ are reducibility candidates then so is $c\,X_1 \ldots X_k$.

Definition 2.9. The function $[\![-]\!]$ associates a reducibility candidate to each formal neighbourhood:

• $[\![\mathsf{V}]\!] = R_0$

• $[\![c\,U_1 \ldots U_k]\!] = c\,[\![U_1]\!] \ldots [\![U_k]\!]$

• $[\![U \to V]\!] = [\![U]\!] \to [\![V]\!]$

• $[\![U \cap V]\!] = [\![U]\!] \cap [\![V]\!]$
Lemma 2.10. If $U \subseteq V$ for the formal inclusion relation then $[\![U]\!] \subseteq [\![V]\!]$ as sets of terms.

This follows from the fact that all the rules of Figure 1 are valid for reducibility candidates.

Theorem 2.11. If $\vdash_{\mathcal M} M : U$ then $M \in [\![U]\!]$. In particular $M$ is strongly normalising.

As usual, we prove that if $x_1 : U_1, \ldots, x_n : U_n \vdash_{\mathcal M} M : U$ and $M_1 \in [\![U_1]\!], \ldots, M_n \in [\![U_n]\!]$ then $M(x_1 = M_1, \ldots, x_n = M_n) \in [\![U]\!]$. This is a mild extension of the usual induction on derivations. We sketch the extra cases:

• Subtyping: direct from Lemma 2.10.

• Constructor: direct from the definition of $[\![c\,U_1 \ldots U_k]\!]$.

• Defined constant (case with a rewrite rule): we need a small remark: since $d\,M_1 \ldots M_l \notin \mathcal{S}$ for any $l$, we have that $d\,M_1 \ldots M_l \in c\,X_1 \ldots X_k$ implies $d = c$ and $l = k$ by definition of $c\,X_1 \ldots X_k$. Knowing this we get that if $N_i \in [\![p_i(W_1, \ldots, W_n)]\!]$, then $f\,N_1 \ldots N_k$ can only interact with one rewrite rule (remember that there is no critical pair). The definition of $c\,X_1 \ldots X_k$ also tells us that if the $N_i$ are equal to $p_i(M_1, \ldots, M_n)$, then $M_j \in [\![W_j]\!]$. From this the result follows easily.

• Defined constant (case with no rewrite rule): we need the same remark as in the previous case: $d\,M_1 \ldots M_l \in c\,X_1 \ldots X_k$ implies that $d = c$ and $l = k$. Additionally, $[\![\mathsf{V}]\!]$ does not contain any constructor-headed term (since $[\![\mathsf{V}]\!] \subseteq \mathcal{S}$). A consequence of these two remarks is that there cannot be any fully applied constructor-headed term in $[\![U \to V]\!]$, by simple induction. In particular there is no term matched by a pattern in $[\![U \to V]\!]$. Thus, since there is no rule matching $U_1, \ldots, U_k$, we know that for any $N_1 \in [\![U_1]\!], \ldots, N_k \in [\![U_k]\!]$, $f\,N_1 \ldots N_k$ is not matched by any rewrite rule; it is, however, a simple term. It follows easily that $f\,N_1 \ldots N_k \in [\![V]\!]$. □

2.3. Filter Domain.

Definition 2.12. An I-filter² over $\mathcal{M}$ is a subset $\alpha \subseteq \mathcal{M}$ with the following closure properties:

• if $U, V \in \alpha$ then $U \cap V \in \alpha$

• if $U \in \alpha$ and $U \subseteq V$ then $V \in \alpha$

It is clear that the set $D$ of all I-filters over $\mathcal{M}$ ordered by set inclusion is a complete algebraic domain. The finite elements of $D$ are exactly $\emptyset$ and the principal I-filters $\uparrow U = \{V \mid U \subseteq V\}$. The element $\top = \uparrow \mathsf{V}$ is the greatest element of $D$ and the least element is $\bot = \emptyset$.

We can define on $D$ a binary application operation

$$\alpha\,\beta = \{V \mid \exists U,\ U \to V \in \alpha \wedge U \in \beta\}$$

We have always $\alpha\,\bot = \bot$ and $\top\,\beta = \top$ if $\beta \neq \bot$. We write $\alpha_1 \ldots \alpha_n$ for $(\ldots(\alpha_1\,\alpha_2) \ldots)\,\alpha_n$.

² This terminology, coming from [B], stresses the fact that the empty set is also an I-filter.
2.4. Denotational semantics of UPL. As usual, we let $\rho, \nu, \ldots$ range over environments, i.e. mappings from variables to $D$.

Definition 2.13. If $M$ is a term of UPL, $[\![M]\!]_\rho$ is the I-filter of neighbourhoods $U$ such that $x_1 : V_1, \ldots, x_n : V_n \vdash_{\mathcal M} M : U$ for some $V_i \in \rho(x_i)$, with $FV(M) = \{x_1, \ldots, x_n\}$.

A direct consequence of this definition and of Theorem 2.11 is then

Theorem 2.14. If there exists $\rho$ such that $[\![M]\!]_\rho \neq \bot$ then $M$ is strongly normalising.

Notice also that we have $[\![M]\!]_\rho = [\![M]\!]_\nu$ as soon as $\rho(x) = \nu(x)$ for all $x \in FV(M)$. Because of this we can write $[\![M]\!]$ for $[\![M]\!]_\rho$ if $M$ is closed. If $c$ is a constructor, we write simply $c$ for $[\![c]\!]$.

Lemma 2.15. We have $c\,\alpha_1 \ldots \alpha_k \neq d\,\beta_1 \ldots \beta_l$ if $c \neq d$, and $c\,\alpha_1 \ldots \alpha_k = c\,\beta_1 \ldots \beta_k$ if and only if $\alpha_1 = \beta_1, \ldots, \alpha_k = \beta_k$, whenever $\alpha_i \neq \bot$, $\beta_j \neq \bot$. An element of $D$ is either $\bot$, or $\top$, or of the form $c\,\alpha_1 \ldots \alpha_k$ with $c$ of arity $k$ and $\alpha_i \neq \bot$, or is a sup of elements of the form $\uparrow(U \to V)$. This defines a partition of $D$.

Proof. Follows from Lemma 2.2. □

As a consequence of Lemma 2.15 it is possible to define when a constructor pattern matches an element of $D$. The next result expresses the fact that we have defined in this way a strict model of UPL.

Theorem 2.16.

$$[\![x]\!]_\rho = \rho(x)$$

$$[\![N\,M]\!]_\rho = [\![N]\!]_\rho\,[\![M]\!]_\rho$$

$$[\![\lambda x.M]\!]_\rho\,\alpha = [\![M]\!]_{(\rho, x := \alpha)} \quad \text{if } \alpha \neq \bot$$

If $f\,p_1 \ldots p_k = M$ and $\alpha_i = [\![p_i]\!]_\rho$ then $[\![f]\!]\,\alpha_1 \ldots \alpha_k = [\![M]\!]_\rho$. If there is no rule for $f$ which matches $\alpha_1, \ldots, \alpha_k$ and $\alpha_1, \ldots, \alpha_k$ are $\neq \bot$ then $[\![f]\!]\,\alpha_1 \ldots \alpha_k = \top$. Finally, if for all $\alpha \neq \bot$ we have $[\![M]\!]_{(\rho, x := \alpha)} = [\![N]\!]_{(\nu, y := \alpha)}$ then $[\![\lambda x.M]\!]_\rho = [\![\lambda y.N]\!]_\nu$.

Proof. The second equality follows from Lemma 2.5 and the third equality follows from Lemma 2.4. □

Corollary 2.17. $[\![N(x = M)]\!]_\rho = [\![N]\!]_{(\rho, x = [\![M]\!]_\rho)}$



3. Application to Spector's Double Negation Shift

The goal of this section is to prove strong normalisation for dependent type theory extended with Spector's double negation shift [23]. The version of type theory we present is close to the one in [17]: we have a type of natural numbers Nat : U, where U is a universe. It is shown in [17], using the propositions-as-types principle, how to represent intuitionistic higher-order arithmetic in type theory. It is then possible to formulate Spector's double negation shift as

$$(\Pi n : Nat.\neg\neg B\,n) \to \neg\neg\Pi n : Nat.B\,n$$

where $\neg A$ is an abbreviation for $A \to N_0$ and $B : Nat \to U$. Spector showed [23] that it is enough to add this schema (Axiom F in [23]) to intuitionistic analysis in order to be able to interpret classical analysis via a negative translation. We show how to extend dependent type theory with a constant of this type in such a way that strong normalisation is preserved. It follows then from [23] that the proof-theoretic strength of type theory is much stronger with this constant, and has the strength of classical analysis.

3.1. General Rules of Type Theory. We have a constructor Fun of arity 2 and we write $\Pi x : A.B$ instead of $Fun\,A\,(\lambda x.B)$, and $A \to B$ instead of $Fun\,A\,(\lambda x.B)$ if $x$ is not free in $B$. We have a special constant U for the universe. (We recall that we consider terms up to α-conversion.) A context is a sequence $x_1 : A_1, \ldots, x_n : A_n$, where the $x_i$ are pairwise distinct.

There are three forms of judgements:

$$\Gamma \vdash A \qquad \Gamma \vdash M : A \qquad \Gamma \vdash$$

The last judgement $\Gamma \vdash$ expresses that $\Gamma$ is a well-typed context. We may write $J\,[x : A]$ for $x : A \vdash J$.

The typing rules are in Figure 3.

$$\frac{}{\vdash} \qquad \frac{\Gamma \vdash A}{\Gamma, x : A \vdash}$$

$$\frac{\Gamma \vdash}{\Gamma \vdash U} \qquad \frac{\Gamma \vdash A : U}{\Gamma \vdash A} \qquad \frac{\Gamma, x : A \vdash B}{\Gamma \vdash \Pi x : A.B}$$

$$\frac{(x : A) \in \Gamma \quad \Gamma \vdash}{\Gamma \vdash x : A} \qquad \frac{\Gamma, x : A \vdash M : B}{\Gamma \vdash \lambda x.M : \Pi x : A.B} \qquad \frac{\Gamma \vdash N : \Pi x : A.B \quad \Gamma \vdash M : A}{\Gamma \vdash N\,M : B[M]}$$

$$\frac{\Gamma \vdash M : A \quad \Gamma \vdash B \quad A =_{\beta\iota} B}{\Gamma \vdash M : B}$$

We express finally that the universe U is closed under the product operation.

$$\frac{\Gamma \vdash A : U \quad \Gamma, x : A \vdash B : U}{\Gamma \vdash \Pi x : A.B : U}$$

Figure 3: Typing Rules of Type Theory

The constants are the ones of our language UPL, described in the next subsection.

3.2. Specific Rules. We describe here both the untyped language UPL (which will define the ι-reduction) and the fragment of type theory that we need in order to express a program for Spector's double negation shift. The constants of the form (op) are used as infix operators.

The constructors are U, Nat, N0, N1, 0 (arity 0), S, Inl, Inr (arity 1) and (+), (×), Fun, Pair (arity 2). To define the domain $D$ as in the previous sections, it is enough to know these constructors.

The defined constants of the language UPL are vec, get, trim, T, head, tail, (≤), less, Rec, exit, ¬, Φ and Ψ. The arities are clear from the given ι-rules. From these ι-rules it is then possible to interpret each of these constants as an element of the domain $D$.

At the same time as we introduce these constants (constructors or defined constants) we give their intended types.
First we have the type of natural numbers Nat with two constructors:

Nat : U
0 : Nat
S : Nat → Nat

We also add the natural number recursor Rec so that the language contains Heyting arithmetic:

Rec : C 0 → (Πn : Nat.C n → C (S n)) → Πn : Nat.C n [C : Nat → U]
Rec N M 0 = N
Rec N M (S x) = M x (Rec N M x)

In addition we add type connectives. (+) stands for the type disjunction, and (×) for the pair type:

(+) : U → U → U
Inl : A → A + B [A, B : U]
Inr : B → A + B [A, B : U]

(×) : U → U → U
Pair : A → B → A × B [A, B : U]

We write (x, y) instead of Pair x y, and (x1, ..., xn) for (...(x1, x2), ..., xn). We also need the empty type N0 (with no constructor):

N0 : U

with which we can define exit, its elimination rule, also known as ex falso quodlibet, and the negation ¬:

exit : N0 → A [A : U]

¬ : U → U
¬ A = A → N0

Notice that the constant exit has no computation rule.

The last type we need to define is N1, the unit type (i.e. with only one trivial constructor), in other words the type "true":

N1 : U
0 : N1

Notice that 0 is polymorphic and is a constructor of both N1 and Nat.

We can now start defining the more specific functions of our language. First comes (≤). It decides if its first argument is less than or equal to its second one. Note that it returns either N1 or N0, which are types. This is an example of strong elimination, i.e. defining a predicate using a recursive function.

(≤) : Nat → Nat → U
0 ≤ n = N1
(S x) ≤ 0 = N0
(S x) ≤ (S n) = x ≤ n

Consequently we have the function less which proves essentially that (≤) is a total ordering:
less : Πx : Nat.Πn : Nat.(S x ≤ n) + (n ≤ x)
less x 0 = Inr 0
less 0 (S n) = Inl 0
less (S x) (S n) = less x n

In order to write the proof of the shifting rule it is convenient to have a type of vectors vec B n, which is intuitively (...(N1 × B 0)...) × B (n − 1), and an access function of type

Πn : Nat.Πx : Nat.(S x ≤ n) → vec B n → B x

Notice that this access function requires as an extra argument a proof that the index access is in the right range. To have such an access function is a nice exercise in programming with dependent types.

This has to be seen as the type of finite approximations of proofs of Πn : Nat.B n. And the access function is the respective elimination rule (i.e. a finite version of the forall elimination rule of natural deduction).

The type of vectors vec is defined recursively:

vec : (Nat → U) → Nat → U
vec B 0 = N1
vec B (S x) = (vec B x) × B x

With vec come two simple functions head and tail accessing respectively the two components of the pair (any non-0-indexed vector is a pair of an "element" and a shorter vector):

head : Πx : Nat.(vec B (S x)) → B x
head x (v, u) = u

tail : Πx : Nat.(vec B (S x)) → vec B x
tail x (v, u) = v

In order to build the access function for type vec (which is supposed to extract the element of type B x from a vector of a length longer than x) we introduce a function trim which shortens a vector of type vec B n into a vector of type vec B x by removing the n − x first elements. The reason why such a function is useful is that we are trying to read the vector from the inside to the outside.

T : (Nat → U) → U
T P = Πk : Nat.P (S k) → P k

trim : Πn : Nat.Πm : Nat.(n ≤ m) → ΠP : Nat → U.T P → P m → P n
trim 0 0 p P h v = v
trim 0 (S m) p P h v = trim 0 m 0 P h (h m v)
trim (S n) 0 p P h v = exit p
trim (S n) (S m) p P h v = trim n m p (λx.P (S x)) (λx.h (S x)) v

As a consequence of the function trim we can define in a rather simple way the access function get:

get : ΠB : Nat → U.Πn : Nat.Πx : Nat.(S x ≤ n) → vec B n → B x
get B n x p v = head x (trim (S x) n p (vec B) tail v)

We need the following result on the domain interpretation of this function get. To simplify the notations we write $h$ instead of $[\![h]\!]$ if $h$ is a constant of the language. We also write $l$ for $S^l\,0$.
Lemma 3.1. Let $v \neq \bot$, $y \neq \bot$ and $B$ such that for any $l$, $B\,(S^l\,\top) \neq \bot$ and $B\,l \neq \bot$ (in particular, $B \neq \bot$). If $x = q$ with $q < p$ then $get\,p\,x\,v = get\,(p+1)\,x\,(v, y)$. If $x = S^q\,\top$ with $q < p$ then $get\,p\,x\,v = \top$.

Proof. Let us prove that if $x = q$ with $q < p$ then $get\,p\,x\,v = get\,(p+1)\,x\,(v, y)$. The proof of the second part of the Lemma is similar. It is proved by the following sequence of propositions:

• If $h = [\![\lambda x.f\,(S\,x)]\!]_{(f = h)} \neq \bot$ and $h\,m\,u = h\,\top\,u$ for any $m, u$, $q \le p$, $t \neq \bot$, $v \neq \bot$ and $P\,(S^l\,\top) \neq \bot$ for any $l$ (in particular, $P \neq \bot$), then $trim\,q\,p\,t\,P\,h\,v = (h\,\top)^{p-q}\,v$. This is proved by simple induction on $q$ and $p$, using the definition of $trim$ together with Theorem 2.16 and the fact that $P\,(S^l\,\top) \neq \bot$ implies that $[\![\lambda x.f\,(S\,x)]\!]_{(f = P)}\,(S^l\,\top) = P\,(S^{l+1}\,\top) \neq \bot$ for any $l$.

• $tail = [\![\lambda x.f\,(S\,x)]\!]_{(f = tail)} \neq \bot$ and $tail\,m\,u = tail\,\top\,u$. By Theorem 2.16.

• If $B\,(S^l\,\top) \neq \bot$ and $B\,l \neq \bot$, then for all $l$, $vec\,B\,(S^l\,\top) \neq \bot$. It is direct by induction on $l$ using the definition of $vec$ and Theorem 2.16.

• Finally

$$\begin{aligned}
get\,(p+1)\,x\,(v, y) &= head\,x\,(trim\,(S\,x)\,(p+1)\,(vec\,B)\,tail\,(v, y)) \\
&= head\,x\,((tail\,\top)^{p-q}\,(v, y)) \\
&= head\,x\,((tail\,\top)^{p-q-1}\,v) \\
&= head\,x\,(trim\,(S\,x)\,p\,(vec\,B)\,tail\,v) \\
&= get\,p\,x\,v
\end{aligned}$$

□

We can now introduce two functions Φ and Ψ, defined in a mutually recursive way. They define a slight generalisation of the double negation shift:

Φ : ΠB : Nat → U.(Πn : Nat.¬¬B n) → ¬(Πn : Nat.B n) → Πn : Nat.¬vec B n
Ψ : ΠB : Nat → U.(Πn : Nat.¬¬B n) → ¬(Πn : Nat.B n) → Πn : Nat.vec B n → Πx : Nat.(S x ≤ n) + (n ≤ x) → B x

Φ B H K n v = K (λx.Ψ B H K n v x (less x n))
Ψ B H K n v x (Inl p) = get B n x p v
Ψ B H K n v x (Inr p) = exit (H n (λy.Φ B H K (S n) (v, y)))

The program that proves Spector's double negation shift

ΠB : Nat → U.(Πn : Nat.¬¬B n) → ¬¬(Πn : Nat.B n)

is then λB.λH.λK.Φ B H K 0 0.
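To make the ι-rules of this section concrete, here is an added Python transcription (not the paper's own code, and only an untyped model of the rewrite rules) of less, vec, head, tail, trim, get and the mutually recursive Φ and Ψ; it covers both the vector machinery of subsection 3.2 and the program above. It assumes natural numbers as Python ints, vectors as the nested pairs (…((0, b0), b1)…), Inl/Inr as tagged tuples, and, since N0 has no elements, represents a call that would return an element of N0 by raising a Python exception (the role the paper assigns to the top element ⊤). The driver `run_dns`, the helper `is_stuck` and the `Answer`/`Stuck` exceptions are constructed for this example.

```python
# Added example, not code from the paper: the ι-rules of section 3.2 run as
# an untyped Python program.  Assumptions made here: Nat is int, the unique
# element 0 of N1 is the int 0, a vector of length n is the nested pair
# (...((0, b0), b1)..., b_{n-1}), Inl/Inr are tagged tuples, and a function
# that would return an element of the empty type N0 raises instead.


class Stuck(Exception):
    """exit has no computation rule: reaching it models the top element ⊤."""


class Answer(Exception):
    """Constructed for the driver below: carries the value K extracted."""
    def __init__(self, value):
        self.value = value


def leq(m, n):                       # (≤) : Nat -> Nat -> U, a type-valued function
    if m == 0:
        return "N1"                  # 0 ≤ n = N1
    if n == 0:
        return "N0"                  # (S x) ≤ 0 = N0
    return leq(m - 1, n - 1)         # (S x) ≤ (S n) = x ≤ n


def less(x, n):                      # less x n : (S x ≤ n) + (n ≤ x)
    if n == 0:
        return ("Inr", 0)            # less x 0 = Inr 0
    if x == 0:
        return ("Inl", 0)            # less 0 (S n) = Inl 0
    return less(x - 1, n - 1)        # less (S x) (S n) = less x n


def vec(B, n):                       # vec B 0 = N1, vec B (S x) = (vec B x) × B x
    return "N1" if n == 0 else ("x", vec(B, n - 1), B(n - 1))


def head(x, v):                      # head x (v, u) = u
    return v[1]


def tail(x, v):                      # tail x (v, u) = v
    return v[0]


def exit_(p):                        # exit p, with p : N0, never reduces
    raise Stuck(p)


def trim(n, m, p, P, h, v):
    if n == 0 and m == 0:            # trim 0 0 p P h v = v
        return v
    if n == 0:                       # trim 0 (S m) p P h v = trim 0 m 0 P h (h m v)
        return trim(0, m - 1, 0, P, h, h(m - 1, v))
    if m == 0:                       # trim (S n) 0 p P h v = exit p
        return exit_(p)
    # trim (S n) (S m) p P h v = trim n m p (λx.P (S x)) (λx.h (S x)) v
    return trim(n - 1, m - 1, p, lambda x: P(x + 1), lambda k, u: h(k + 1, u), v)


def get(B, n, x, p, v):              # get B n x p v = head x (trim (S x) n p (vec B) tail v)
    return head(x, trim(x + 1, n, p, lambda k: vec(B, k), tail, v))


def phi(B, H, K, n, v):              # Φ B H K n v = K (λx.Ψ B H K n v x (less x n))
    return K(lambda x: psi(B, H, K, n, v, x, less(x, n)))


def psi(B, H, K, n, v, x, d):
    if d[0] == "Inl":                # Ψ ... x (Inl p) = get B n x p v
        return get(B, n, x, d[1], v)
    # Ψ ... x (Inr p) = exit (H n (λy.Φ B H K (S n) (v, y)))
    return exit_(H(n, lambda y: phi(B, H, K, n + 1, (v, y))))


def dns(B, H, K):                    # λB.λH.λK.Φ B H K 0 0
    return phi(B, H, K, 0, 0)


def run_dns(want, witness):
    """Constructed driver: H n k = k (witness n) supplies an element of B n on
    demand, and K f = raise Answer(f want) consumes the whole function by
    reading it at index `want`.  The program extends the finite vector one
    element at a time until that index is covered, so K obtains witness(want)."""
    def H(n, k):
        return k(witness(n))

    def K(f):
        raise Answer(f(want))

    try:
        dns(lambda n: ("B", n), H, K)
    except Answer as a:
        return a.value
    return None


def is_stuck(thunk):
    """True iff evaluating thunk() reaches exit (an out-of-range access)."""
    try:
        thunk()
    except Stuck:
        return True
    return False
```

`run_dns(3, lambda n: n * n)` returns 9: the continuation K asks for index 3, `less 3 n` answers `Inr` for n = 0, 1, 2, 3, so Φ is re-entered with vectors of length 1 to 4 before `less 3 4` answers `Inl` and `get` reads the fourth element. In these runs H always calls its continuation, so `exit` is never actually entered; `is_stuck` shows the other behaviour of `trim` when an index is out of range.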

4. Model of type theory and strong normalisation 

4.1. Model. We let $Pow(D)$ be the collection of all subsets of $D$. If $X \in Pow(D)$ and $F : X \to Pow(D)$ we define $\Pi(X, F) \in Pow(D)$ by $v \in \Pi(X, F)$ if and only if $u \in X$ implies $v\,u \in F(u)$.

A totality predicate on $D$ is a subset $X$ such that $\bot \notin X$ and $\top \in X$. We let $TP(D)$ be the collection of all totality predicates.

Lemma 4.1. If $X \in TP(D)$ and $F : X \to TP(D)$ then $\Pi(X, F) \in TP(D)$.

Proof. We have $\top \in X$. If $v \in \Pi(X, F)$ then $v\,\top \in F(\top)$ and so $v\,\top \neq \bot$ and $v \neq \bot$ hold. If $u \in X$ then $u \neq \bot$ so that $\top\,u = \top \in F(u)$. This shows $\top \in \Pi(X, F)$. □

Definition 4.2. A model of type theory is a pair $T, El$ with $T \in TP(D)$ and $El : T \to TP(D)$ satisfying the property: if $A \in T$ and $u \in El(A)$ implies $F\,u \in T$, then $Fun\,A\,F \in T$. Furthermore $El(Fun\,A\,F) = \Pi(El(A), \lambda u.El(F\,u))$.

If we have a collection of constants with typing rules $\vdash h : A$ we require also $[\![A]\!] \in T$ and $[\![h]\!] \in El([\![A]\!])$.

Finally, for a model of type theory with universe U we require also: $U \in T$, $El(U) \subseteq T$ and $Fun\,A\,F \in El(U)$ if $A \in El(U)$ and $F\,u \in El(U)$ for $u \in El(A)$.

The intuition is the following: $T \subseteq D$ is the collection of elements representing types, and if $A \in T$ the set $El(A)$ is the set of elements of type $A$. The first condition expresses that $T$ is closed under the dependent product operation. The last condition expresses that U is a type and that $El(U)$ is a subset of $T$ which is also closed under the dependent product operation.

The next result states the soundness of the semantics w.r.t. the type system.

Theorem 4.3. Let $\Delta$ be a context. Assume that $[\![A]\!] \in T$ and $\rho(x) \in El([\![A]\!])$ for $x : A$ in $\Delta$. If $\Delta \vdash A$ then $[\![A]\!]_\rho \in T$. If $\Delta \vdash M : A$ then $[\![A]\!]_\rho \in T$ and $[\![M]\!]_\rho \in El([\![A]\!]_\rho)$.

Proof. Direct by induction on derivations, using Theorem 2.16 and Corollary 2.17. For instance, we justify the application rule. We have by induction $[\![N]\!]_\rho \in El(Fun\,[\![A]\!]_\rho\,[\![\lambda x.B]\!]_\rho)$ and $[\![M]\!]_\rho \in El([\![A]\!]_\rho)$. It follows that we have

$$[\![N\,M]\!]_\rho = [\![N]\!]_\rho\,[\![M]\!]_\rho \in El([\![\lambda x.B]\!]_\rho\,[\![M]\!]_\rho)$$

Since $El([\![A]\!]_\rho) \in TP(D)$ we have $[\![M]\!]_\rho \neq \bot$. Hence by Theorem 2.16 and Corollary 2.17 we have

$$[\![\lambda x.B]\!]_\rho\,[\![M]\!]_\rho = [\![B]\!]_{(\rho, x = [\![M]\!]_\rho)} = [\![B[M]]\!]_\rho$$

and so $[\![N\,M]\!]_\rho \in El([\![B[M]]\!]_\rho)$ as expected. □

4.2. Construction of a model.

Theorem 4.4. The filter model $D$ of UPL can be extended to a model $T \in TP(D)$, $El : T \to TP(D)$.

Proof. The main idea is to define the pair $T, El$ in two inductive steps, using Lemma 2.15 to ensure the consistency of this definition. We define first $T_0, El_0$. We have $\top \in T_0$ and $\top \in El_0(A)$ if $A \in T_0$. Furthermore, we have

• $N_0 \in T_0$

• $N_1 \in T_0$ and $0 \in El_0(N_1)$

• $Nat \in T_0$ and $0 \in El_0(Nat)$ and $S\,x \in El_0(Nat)$ if $x \in El_0(Nat)$

• $A + B \in T_0$ if $A, B \in T_0$, and $Inl\,x \in El_0(A + B)$ if $x \in El_0(A)$ and $Inr\,y \in El_0(A + B)$ if $y \in El_0(B)$

• $A \times B \in T_0$ if $A, B \in T_0$, and $(x, y) \in El_0(A \times B)$ if $x \in El_0(A)$ and $y \in El_0(B)$

• $Fun\,A\,F \in T_0$ if $A \in T_0$ and $F\,x \in T_0$ for $x \in El_0(A)$. Furthermore $w \in El_0(Fun\,A\,F)$ if $w\,x \in El_0(F\,x)$ whenever $x \in El_0(A)$

We can then define $T \supseteq T_0$ and the extension $El : T \to TP(D)$ by the same six conditions (with $T_0, El_0$ read as $T, El$), extended by one clause:

• $U \in T$ and $El(U) = T_0$

The definition of the pair $T, El$ is a typical example of an inductive-recursive definition: we define simultaneously the subset $T$ and the function $El$ on this subset. The justification of such a definition is subtle, but it is standard [2, 8, 22]. It can be checked by induction that $T \in TP(D)$ and $El(A) \in TP(D)$ if $A \in T$. The next subsection proves that $[\![h]\!] \in El([\![A]\!])$ if $\vdash h : A$ is a typing rule for a constant $h$. □

4.3. Strong normalisation via totality. It is rather straightforward to check that we have $[\![h]\!] \in El([\![A]\!])$ for all the constants $h : A$ that we have introduced, except the last two constants Φ and Ψ. For instance $[\![exit]\!] \in El(N_0 \to A)$ for any $A \in T$, since $El(N_0) = \{\top\}$ and $[\![exit]\!]\,\top = \top$ is in $El(A)$. To check $[\![h]\!] \in El([\![A]\!])$ is more complex for the last two functions.

Theorem 4.5. For all constants $h : A$ that we have introduced, we have $[\![h]\!] \in El([\![A]\!])$.

Proof. To simplify the notations we write $h$ instead of $[\![h]\!]$ if $h$ is a constant of the language, and we say simply that $h$ is total instead of $h \in El(A)$. The only difficult cases are for the constants Φ and Ψ. It is the only place where we use classical reasoning. We only write the proof for Φ, the case of Ψ is similar.

Assume that Φ is not total. We can then find total elements $B \in El(Nat \to U)$, $H \in El(Fun\,Nat\,(\lambda x.\neg\neg(B\,x)))$, $K \in El(\neg(Fun\,Nat\,B))$, $n \in El(Nat)$ and $v \in El(vec\,B\,n)$ such that $\Phi\,B\,H\,K\,n\,v$ does not belong to $El(N_0) = \{\top\}$. Since

$$\Phi\,B\,H\,K\,n\,v = K\,(\lambda x.\Psi\,B\,H\,K\,n\,v\,x\,(less\,x\,n))$$

and $K$ is total, there exists $x \in El(Nat)$ such that $\Psi\,B\,H\,K\,n\,v\,x\,(less\,x\,n)$ is not total at type $B\,x$. Given the definition of Ψ this implies that $less\,x\,n$ is of the form $Inr\,h$. It follows from the definition of $less$ that $n$ is of the form $p$. Furthermore

$$\Psi\,B\,H\,K\,n\,v\,x\,(less\,x\,n) = exit\,(H\,n\,(\lambda y.\Phi\,B\,H\,K\,(p+1)\,(v, y)))$$

is not total. Since $H$ is total, there exists $y_p \in El(B\,p)$ such that $\Phi\,B\,H\,K\,(p+1)\,(v, y_p)$ is not total. Reasoning in the same way, we see that there exists $y_{p+1} \in El(B\,(p+1))$ such that $\Phi\,B\,H\,K\,(p+2)\,(v, y_p, y_{p+1})$ is not total. Thus we build a sequence of elements $y_m \in El(B\,m)$ for $m \ge p$ such that, for any $m$,

$$\Phi\,B\,H\,K\,m\,(v, y_p, \ldots, y_{m-1}) \neq \top$$

Consider now an element $x = q$. For $m > q$ we have $S\,x \le m = N_1$ and we take $f\,x$ to be $get\,m\,x\,(v, y_p, \ldots, y_{m-1})$. This is well defined since we have for $m_1, m_2 > q$, by Lemma 3.1,

$$get\,B\,m_1\,x\,(v, y_p, \ldots, y_{m_1 - 1}) = get\,B\,m_2\,x\,(v, y_p, \ldots, y_{m_2 - 1})$$

We take also $f\,(S^q\,\top) = \top$. This defines a total element $f$ in $El(Fun\,Nat\,(\lambda x.B\,x))$. Since $K$ is total, $K\,f$ is total and belongs to $El(N_0) = \{\top\}$. Hence $K\,f = \top$. Since $\top$ is a finite element of $D$ we have by continuity $K\,f_0 = \top$ for some finite approximation $f_0$ of $f$. In particular there exists $m$ such that if $g_m\,(S^q\,0) = f\,(S^q\,0)$ and $g_m\,(S^q\,\top) = f\,(S^q\,\top)$ for all $q < m$, then $K\,g_m = \top$. If we define

$$g_m\,x = \Psi\,B\,H\,K\,m\,(v, y_p, \ldots, y_{m-1})\,x\,(less\,x\,m)$$

we do have $g_m\,(S^q\,0) = f\,(S^q\,0)$ and $g_m\,(S^q\,\top) = f\,(S^q\,\top)$ for all $q < m$. Hence $K\,g_m = \top$. But then

$$\Phi\,B\,H\,K\,m\,(v, y_p, \ldots, y_{m-1}) = K\,g_m = \top$$

which contradicts the fact that the element $\Phi\,B\,H\,K\,m\,(v, y_p, \ldots, y_{m-1})$ is not total. □

Like in [11], it is crucial for this argument that we are using a domain model. These constants also make the system proof-theoretically strong, of at least the strength of second-order arithmetic.

Corollary 4.6. If $\vdash A$ then $\{A\} \neq \bot$. If $\vdash M : A$ then $[M] \neq \bot$. 

Proof. If $\vdash A$ we have by Theorem S3] that $\{A\} \in T$. By Theorem S3] we have $T \in TP(D)$. 
Hence $\{A\} \neq \bot$. Similarly, if $\vdash M : A$ we have by Theorem S3] that $\{A\} \in T$ and $[M] \in \{A\}$. 
By Theorem S3] we have $T \in TP(D)$ and $\{A\} \in TP(D)$. Hence $\{A\} \neq \bot$ and 
$[M] \neq \bot$. □ 

By combining Corollary 4.6 with Theorem 2.14 we get 

Theorem 4.7. If h A then A is strongly normalisable. If h M : A then M is strongly 
normalisable. 



Conclusion 

We have built a filter model $D$ for an untyped calculus having the property that a 
term is strongly normalisable whenever its semantics is $\neq \bot$, and then used this to give 
various modular proofs of strong normalisation. While each part uses essentially variations 
on standard material, our use of filter models seems to be new and can be seen as an 
application of computing science to proof theory. It is interesting that we are naturally led 
in this way to consider a domain with a top element. We have shown on some examples 
that this can be used to prove strong normalisation theorems in a modular way, essentially 
by reducing the problem to showing the soundness of a semantics over the domain $D$. There 
should be no problem in using our model to give a simple normalisation proof of system F 
extended with bar recursion. It is indeed direct that totality predicates are closed under 
arbitrary non-empty intersections. By working in the $D$-set model over $D$ [24, 14], one should 
be able to obtain strong normalisation theorems for various impredicative type theories 
extended with bar recursion as well. 

For proving normalisation for predicative type systems, the use of the model $D$ is proof-
theoretically too strong: the totality predicates are sets of filters, which are themselves sets 
of formal neighbourhoods, and so are essentially third-order objects. For applications not 
involving strong schemas like bar recursion, it is however possible to work instead only with 
the definable elements of the set $D$, and the totality predicates then become second-order objects, 
as usual. It is then natural to extend our programming language with an extra element $\top$ 
that plays the role of a top-level error. As also suggested to us by Andreas Abel, it seems 
likely that Theorem 2.11 has a purely combinatorial proof, similar in complexity to the one 
for simply typed $\lambda$-calculus. He gave such a proof for a reasonable subsystem in pQ. 

A natural extension of this work would also be to state and prove a density theorem for 
our denotational semantics, following [13]. The first step would be to define when a formal 
neighbourhood is of a given type. 

In [6, 18], for untyped $\lambda$-calculus without constants, it is proved that a term $M$ is 
strongly normalising if and only if $[M] \neq \bot$. This does not hold here since we have for 
instance $0\ \mathsf{Nat}$ strongly normalising, but $[0\ \mathsf{Nat}] = \bot$. However, it may be possible to find 
a natural subset of terms $M$ for which the equivalence between $M$ being strongly normalising 
and $[M] \neq \bot$ holds. Additionally, Colin Riba showed this result for a system where the 
neighbourhoods are closed under union but where the rewrite rules are weaker [20]. 

Most of our results hold without the hypothesis that the rewrite rules are mutually 
disjoint. We only have to replace the typing rules for a constant $f$ in Figure 2 by the 
uniform rule: $\Gamma \vdash_M f : U_1 \to \cdots \to U_n \to V$ if for all rules $f\,p_1 \dots p_n = M$ and for all 
$W_1, \dots, W_n$ such that $p_i(W_1, \dots, W_n) = U_i$ we have $\Gamma, x_1 : W_1, \dots, x_n : W_n \vdash_M M : V$. 
(This holds for instance trivially in the special case where no rule for $f$ matches $U_1, \dots, U_n$.) 
For instance, we can add a constant $+$ with the (overlapping) rewrite rules 

$$+\ 0\ n = n$$

$$+\ n\ 0 = n$$

$$+\ n\ (S\,m) = S\,(+\ n\ m)$$

$$+\ (S\,n)\ m = S\,(+\ n\ m)$$

and Theorem 2.14 is still valid for this extension. 